Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A reference leak vulnerability has been identified in the Linux kernel's NFS server component (NFSD). The issue arises when two concurrent calls to 'nfsd_open_local_fh()' both successfully acquire file references, which creates an extra net reference. One of the calls may fail to store its file reference; that file reference is dropped while the net reference remains, and the NFS server then hangs during shutdown. The vulnerability affects the Linux kernel stable tree.
The reference leak causes the NFS server to hang during shutdown, waiting for the net references to be released, which can lead to prolonged system downtime.
To reproduce this vulnerability, initiate two concurrent calls to 'nfsd_open_local_fh()' in the NFS server. Both calls should successfully acquire local file references, creating an additional net reference for each. One call will fail to store its file reference properly, leading to a dropped file reference while the net reference remains active. When the NFS server is shut down, it will hang, waiting for the unreleased net reference to be freed, demonstrating the reference leak.
The vulnerability has been addressed in the Linux kernel. Users can apply the latest patches available in the Linux kernel stable tree to remediate this issue.
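The leak pattern described above can be replayed deterministically in a small user-space model. This is an added example, not kernel code and not the upstream patch: every name in it is hypothetical, and the compare-and-swap "slot" is an assumed stand-in for wherever the file reference is stored.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only; all names are hypothetical, not kernel identifiers. */
struct model_file { atomic_int refs; };
struct model_net  { atomic_int refs; };  /* shutdown waits for this to reach 0 */

/* Step 1 of an open: one file reference plus its accompanying net reference. */
static void acquire(struct model_net *net, struct model_file *f) {
    atomic_fetch_add(&f->refs, 1);
    atomic_fetch_add(&net->refs, 1);
}

/* Step 2: publish into the shared slot; only the first caller succeeds. */
static void publish(struct model_net *net, struct model_file *_Atomic *slot,
                    struct model_file *f, bool balanced) {
    struct model_file *expected = NULL;
    if (atomic_compare_exchange_strong(slot, &expected, f))
        return;                           /* winner: slot now owns both refs */
    atomic_fetch_sub(&f->refs, 1);        /* loser drops its file reference */
    if (balanced)
        atomic_fetch_sub(&net->refs, 1);  /* and the net reference paired with it */
}

/* Replay the racy interleaving, tear down, return net references left over. */
int leaked_net_refs(bool balanced) {
    struct model_net net = { 0 };
    struct model_file f = { 0 };
    struct model_file *_Atomic slot = NULL;

    acquire(&net, &f);                    /* caller A */
    acquire(&net, &f);                    /* caller B, before A has stored */
    publish(&net, &slot, &f, balanced);   /* A stores successfully */
    publish(&net, &slot, &f, balanced);   /* B fails to store */

    /* Teardown releases the one file/net pair owned by the slot. */
    struct model_file *owned = atomic_exchange(&slot, NULL);
    if (owned) {
        atomic_fetch_sub(&owned->refs, 1);
        atomic_fetch_sub(&net.refs, 1);
    }
    return atomic_load(&net.refs);        /* nonzero: shutdown keeps waiting */
}

int main(void) {
    printf("unbalanced loser path: %d net ref(s) left\n", leaked_net_refs(false));
    printf("balanced loser path:   %d net ref(s) left\n", leaked_net_refs(true));
    return 0;
}
```

The general review rule the model illustrates: any path that fails to publish a resource must release every reference it took on the way in, not only the most visible one.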